Digital risk assessment

From California Technology Festival Wiki

There's a continuum when talking about security:

  • High security => lower functionality (more friction for users)
  • Low security => faster response
  • Different contexts call for different levels of security, and a different conversation about it
  • Women have a great intuitive sense of risk assessment
Real security is about processes and people, not tools
—Ken


Questions to Ask About Data You Want to Secure

1. What Am I Trying to Protect

  • List of addresses
  • social security numbers
  • contacts of activists
  • Info on my phone

2. Who am I protecting it from?

  • Government
  • Crackers (malicious hackers)
  • Commercial entities
    • Paid shills/moles
    • Koch brothers counter-intelligence

3. What Happens if the Data Leaks?

  • CA has notification laws
  • What could happen to individuals and businesses? There may be monetary penalties
  • Even nonprofits can be sued over data breaches
  • Think up best/mid/worst case scenarios

4. What Am I Willing to Do to Protect it?

  • Will I encrypt it, and what level of encryption is appropriate?
    • End to end (only the sender and recipient can read it), or more general (e.g. encrypted at rest on the server or in transit)?


Culture of Security

  • Fundamental piece of security is open communication with your team
  • Keep each other informed about what sensitive stuff is going on
  • You can't secure what you don't know

Data Containerization

  • Depending on the risk level, Ken's org stores different data on different servers
  • Assess what you're collecting and decide what must be done with it
  • There are laws regarding storage of things like credit card info and medical info
    • That's why you should outsource that responsibility when you can
    • Storing credit card info yourself is a lawsuit waiting to happen. Let your payment processor handle it; they're better at it

Context Matters

  • If you're involved with confrontational politics, you're going to want to use higher security measures
  • The government has a long, shameful history of counterintelligence, subversion, surveillance, and illegal action against political bodies
  • It's important to understand the big picture of surveillance and where exactly we fit into that picture


Tools

  • Sophos Endpoint Protection
    • Data loss prevention (DLP)
    • Notifies you of downloads and uploads
    • Staff click-through tracking
  • LastPass password management
    • Great nonprofit discount if you ask for it
  • Two-Factor Authentication
    • In addition to the password, you must complete a second, person-specific step (e.g. a code generated on your phone) to log in
  • Federated Login
    • Like when you can `Log in with Google` to a service like Stack Overflow
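To show concretely what the "second, person-specific action" in two-factor authentication is, here is an added example (not from the session notes or from any of the vendors listed above) of the time-based one-time password scheme (TOTP, RFC 6238) that phone authenticator apps implement. The secret below is the RFC's published test key, used only for illustration, never as a real credential; the `verify_totp` function and its replay-protection rule are this example's own design, not something the page describes. The server-side check accepts a code only once and tolerates a small clock skew window, which is the caveat most home-grown verifiers get wrong.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test key "12345678901234567890",
# base32-encoded the way authenticator apps expect it. Not a real credential.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = Unix time divided into 30-second steps."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int, last_used_counter: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check (hypothetical helper). Returns (ok, new_last_used_counter).

    - Accepts codes from `window` steps before/after the current one (clock skew).
    - Never accepts a counter <= last_used_counter, so a captured code cannot be replayed.
    - Uses a constant-time comparison so timing does not leak how many digits matched.
    """
    secret = base64.b32decode(secret_b32.upper())
    current = at // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET_B32, now)
    print("current code:", code)
    ok, used = verify_totp(DEMO_SECRET_B32, code, now, last_used_counter=-1)
    print("first use accepted:", ok)
    ok_again, _ = verify_totp(DEMO_SECRET_B32, code, now, last_used_counter=used)
    print("replay accepted:", ok_again)
```

The second factor is "person-specific" because the code depends on a secret held only by the user's device and on the current time, so a phished password alone is not enough; the attacker would also need a fresh code, and the replay rule means a code they did capture stops working after its first use.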